
Post-login prompt to verify 2FA options are up to date #275

Open
dd32 opened this issue Jul 4, 2024 · 1 comment
Comments

dd32 commented Jul 4, 2024

We should be prompting users upon login that their account details are still up-to-date, and that they have access to their 2FA options.

For example: I log in with my security key, and I should be prompted to verify that I...

  • have the same email address
  • still have my TOTP app setup (hint: I don't, intentionally)
  • still have a valid backup security key
  • still have access to my recovery codes

This would not be prompted every time, but perhaps once every other month.

It's easy to become complacent when using a device built-in security key (Mac TouchID, Windows Hello) to let these become outdated as the login process can be very frictionless.

The intention is that by reminding users of these, that we'd be enforcing that they need these things in order to be able to recover their account if they lose access to their main 2FA method.

dd32 commented Jul 31, 2024

See discussion here:

#20 (comment)

I was thinking that the interstitial added via WordPress/wordpress.org#351 could be extended to:

  • Prompt after a month that they have their Recovery codes
  • Prompt to verify the methods listed are still current (i.e. do you still have that security key after not using it for 3 months? That passkey might be on an old laptop, for example)
  • Prompt after login when they have less than 5 backup codes remaining
  • Prompt regularly to verify their email address is current?

#20 (comment)

Part of the problem with potentially over-prompting is that they become irrelevant, and also, if we're doing something different to other services, the users will probably be annoyed by them!

Just thinking how many times I've been prompted to either check my settings or what methods are valid: it's probably close to zero times, unless being forced to change the method of auth.

#20 (comment)

Apparently GitHub does a 1-month check after 2FA enable to verify the settings are expected, which is probably enough to prompt/remind you that "oh.. I think I threw that scrap of paper out.." or "I was going to add that extra key later and never did.."
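The rules collected across both comments (a one-month check after enabling 2FA, a nudge about methods unused for three months, a warning below five backup codes, a periodic email check, and a cooldown so users are not over-prompted) can be expressed as a single post-login decision function. The following is an added example written for this thread, not code from the two-factor plugin or from WordPress.org; the account array shape, the function names, the constants and the sample account are all hypothetical, and storage, UI and the real plugin hooks are left out.

```php
<?php
// Added example (not the project's code): decide which "verify your 2FA
// settings" prompts a user should see after login, using the thresholds
// discussed in this issue. Every name here is hypothetical.

declare(strict_types=1);

const DAY = 86400;

// Thresholds taken from the discussion above.
const VERIFY_AFTER_ENABLE = 30 * DAY;  // GitHub-style check a month after enabling 2FA
const METHOD_STALE_AFTER  = 90 * DAY;  // a method not used for 3 months
const EMAIL_RECHECK_EVERY = 60 * DAY;  // "once every other month"
const PROMPT_COOLDOWN     = 60 * DAY;  // never show the routine prompts more often than this
const MIN_BACKUP_CODES    = 5;

/**
 * $account is a hypothetical plain array:
 *   'two_factor_enabled_at' => int|null   unix timestamp 2FA was turned on
 *   'settings_verified_at'  => int|null   set once the user confirms the post-enable check
 *   'methods'               => [name => last_used_at (int|null)]
 *   'backup_codes_left'     => int
 *   'email_verified_at'     => int|null
 *   'last_prompted_at'      => int|null   last time any routine prompt was shown
 *
 * Returns a list of prompt identifiers to show on this login (possibly empty).
 */
function pending_2fa_prompts(array $account, int $now): array
{
    $prompts = [];

    // Running low on backup codes is urgent: shown regardless of the cooldown,
    // because the user may be one lost device away from lockout.
    if (($account['backup_codes_left'] ?? 0) < MIN_BACKUP_CODES) {
        $prompts[] = 'backup_codes_low';
    }

    // Everything below is throttled, addressing the over-prompting concern.
    $lastPrompted = $account['last_prompted_at'] ?? 0;
    if ($now - $lastPrompted < PROMPT_COOLDOWN) {
        return $prompts;
    }

    $enabledAt = $account['two_factor_enabled_at'] ?? null;
    if ($enabledAt !== null
        && ($account['settings_verified_at'] ?? null) === null
        && $now - $enabledAt >= VERIFY_AFTER_ENABLE) {
        $prompts[] = 'verify_settings_after_enable';
    }

    // A method never used since enabling counts from the enable time.
    foreach ($account['methods'] ?? [] as $name => $lastUsed) {
        $reference = $lastUsed ?? $enabledAt ?? 0;
        if ($now - $reference >= METHOD_STALE_AFTER) {
            $prompts[] = 'confirm_method:' . $name;
        }
    }

    if ($now - ($account['email_verified_at'] ?? 0) >= EMAIL_RECHECK_EVERY) {
        $prompts[] = 'confirm_email';
    }

    return $prompts;
}

// Constructed sample account: logs in daily with a platform passkey, but the
// backup security key and TOTP app have not been touched for months.
$now = 1720000000; // fixed "now" so the sample is reproducible (early July 2024)
$account = [
    'two_factor_enabled_at' => $now - 120 * DAY,
    'settings_verified_at'  => null,
    'methods' => [
        'passkey_laptop'      => $now - 1 * DAY,
        'security_key_backup' => $now - 100 * DAY,
        'totp'                => null, // never used since enabling
    ],
    'backup_codes_left' => 3,
    'email_verified_at' => $now - 200 * DAY,
    'last_prompted_at'  => null,
];

print_r(pending_2fa_prompts($account, $now));
```

Whenever a routine prompt is displayed, the caller would update `last_prompted_at` so the cooldown starts; the low-backup-code warning deliberately bypasses the cooldown, since it signals a concrete recovery risk rather than a periodic reminder. Answering "no, I no longer have that method" should lead the user to remove or replace it, which is the outcome the reminder exists to produce.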
